[Bug 2217] Allow using _ssh SVCB records

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Nov 13 23:57:43 AEDT 2023


--- Comment #3 from chrysn at fsfe.org ---
With the advent of RFC9460, I've updated the title (sorry for the
double edit) to using SVCB records instead of SRV.

While the essence stays the same, SVCB records are described better,
especially with respect to their security properties, and provide more
flexible metadata, so I think they are the way to go.

How it would work (2023 edition)

* When connecting to a hostname host.example.com, SSH sends in parallel
(as it does A and AAAA records) a request for `SVCB
_ssh.host.example.com`. If the recursive resolver didn't already follow
the chain of alias records and eventually A(AAA) records, it follows
them on its own through the mechanism described in RFC9460.

* SSH selects any of the lowest priority results (usually just "the"
result, and IIRC from the RFC it's fine to just try one; failover can
still be added later). If specified it picks the port from it, and
connects to that address and port.


IIUC there should be a spec for using SSH with SVCB before using it --
at least there needs to be an entry in "Underscored and Globally Scoped
DNS Node Names"
I'm happy to help out with the paperwork there (even if it means
writing an internet draft), but I won't take any action unless there is
at least a friendly snort from the SSH community indicating that it
would be taken up.

Side benefits

I've mentioned the convenience of server-configured ports in the
original report already. With the state of the IPv6 migration, SVCB
records (or anything that allows server configured ports) bring
additional benefits: Some users' ISPs offer only either static IPv4
addresses and no IPv6, or regular IPv6 but CGNAT. This forces users who
need to reach their home servers (eg. from a work environment that has
no IPv6 yet) into a no-IPv6 situation. If they can use PCP, they can
open ports locally, and PCP will tell them a public IP address and port
(generally not 22, and generally neither stable) to use. Using dynamic
DNS and SVCB records, they can publish their home address including the
port on a stable location.

You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list